dcrat | f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2025, 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nonagon.exe
Size

23KB
MD5

1b554731ea6b94e44ab6fe7ec45eb153
SHA1

1849707450548f79b4f8d941745c2c72199a7f00
SHA256

f679075808adffca9a26ade94cc8494ccc500333e8613708e9ba077d88d92a70
SHA512

96880df0242f41380e2877a3cac119e14ab062c4892040a3d8c9fe5fbc58ee6681729d1a1ca5c62427d4ad5ca76be1167d8811e9b4c35656e0c1000d660c06c1
SSDEEP

384:LD5Ry1Yg5MsZHalPXhZAiWGVDNr2mtbQ2E65wMxsWSjRSiKM3EMtR:zymgSCh2Ey/GWSjRSiKM3Nt

Score

10^/10

dcrat gurcu phemedrone umbral credential_access discovery infostealer persistence rat spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7940307483:AAEmmDBRKx8kRMTrlD986B7qCulYd2jfQHw/sendDocument

Extracted

Family

gurcu

https://api.telegram.org/bot7940307483:AAEmmDBRKx8kRMTrlD986B7qCulYd2jfQHw/sendDocumen

Signatures

DcRat 9 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2184	schtasks.exe
		2804	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe"		Nonagon.exe
		6108	schtasks.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root		Nonagon.exe
File created	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat		RarExtPackage.exe
		5316	schtasks.exe
		464	schtasks.exe
		5904	schtasks.exe

Dcrat family
dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000024269-39.dat	family_umbral
behavioral2/memory/2596-65-0x000001B6E49D0000-0x000001B6E4A10000-memory.dmp	family_umbral

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5316	1512	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	1512	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5904	1512	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	1512	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1512	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6108	1512	schtasks.exe	98

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000c0000000240c3-21.dat	dcrat
behavioral2/files/0x000b0000000240c7-125.dat	dcrat
behavioral2/memory/3272-127-0x0000000000510000-0x0000000000602000-memory.dmp	dcrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
22	2220	Nonagon.exe

Uses browser remote debugging 2 TTPs 5 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
640	chrome.exe
4008	chrome.exe
1032	chrome.exe
2068	chrome.exe
5728	chrome.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RarExtPackage.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	DebugTracker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	wininit.exe

Executes dropped EXE 19 IoCs

pid	Process
4644	RarExtPackage.exe
2596	wtf1.exe
4796	wtf.exe
4748	cs2.exe
3272	DebugTracker.exe
4652	wininit.exe
4948	wininit.exe
2968	wininit.exe
2688	wininit.exe
2612	wininit.exe
4988	wininit.exe
6080	wininit.exe
4492	wininit.exe
2108	wininit.exe
3008	wininit.exe
4248	wininit.exe
4684	wininit.exe
4408	wininit.exe
4092	wininit.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Nvidia = "C:\\Program Files\\WinRAR\\RarExtPackage.exe"	Nonagon.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\RarExtPackage.exe	Nonagon.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\debug\wtf1.exe	RarExtPackage.exe
File created	C:\Windows\debug\wtf.exe	RarExtPackage.exe
File created	C:\Windows\debug\cs2.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat	RarExtPackage.exe
File created	C:\Windows\debug\DebugTracker.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\DebugTracker.exe	RarExtPackage.exe
File created	C:\Windows\debug\VUQLBafFd1oU7p3k.vbe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\wtf.exe	RarExtPackage.exe
File opened for modification	C:\Windows\debug\cs2.exe	RarExtPackage.exe
File created	C:\Windows\debug\__tmp_rar_sfx_access_check_240615531	RarExtPackage.exe
File created	C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat	RarExtPackage.exe
File opened for modification	C:\Windows\debug\VUQLBafFd1oU7p3k.vbe	RarExtPackage.exe
File created	C:\Windows\debug\wtf1.exe	RarExtPackage.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RarExtPackage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RarExtPackage.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	DebugTracker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	wininit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe
6108	schtasks.exe
5316	schtasks.exe
464	schtasks.exe
5904	schtasks.exe
2184	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4796	wtf.exe
4796	wtf.exe
4796	wtf.exe
4796	wtf.exe
4796	wtf.exe
4796	wtf.exe
4796	wtf.exe
4796	wtf.exe
4796	wtf.exe
4796	wtf.exe
4748	cs2.exe
4748	cs2.exe
2068	chrome.exe
2068	chrome.exe
4748	cs2.exe
4748	cs2.exe
4748	cs2.exe
4748	cs2.exe
4748	cs2.exe
4748	cs2.exe
4748	cs2.exe
4748	cs2.exe
4748	cs2.exe
4748	cs2.exe
4748	cs2.exe
4748	cs2.exe
4748	cs2.exe
4748	cs2.exe
4748	cs2.exe
3272	DebugTracker.exe
4652	wininit.exe
4948	wininit.exe
2968	wininit.exe
2688	wininit.exe
2612	wininit.exe
4988	wininit.exe
6080	wininit.exe
4492	wininit.exe
2108	wininit.exe
3008	wininit.exe
4248	wininit.exe
4684	wininit.exe
4408	wininit.exe
4092	wininit.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	wtf.exe
Token: SeDebugPrivilege	2596	wtf1.exe
Token: SeIncreaseQuotaPrivilege	4156	wmic.exe
Token: SeSecurityPrivilege	4156	wmic.exe
Token: SeTakeOwnershipPrivilege	4156	wmic.exe
Token: SeLoadDriverPrivilege	4156	wmic.exe
Token: SeSystemProfilePrivilege	4156	wmic.exe
Token: SeSystemtimePrivilege	4156	wmic.exe
Token: SeProfSingleProcessPrivilege	4156	wmic.exe
Token: SeIncBasePriorityPrivilege	4156	wmic.exe
Token: SeCreatePagefilePrivilege	4156	wmic.exe
Token: SeBackupPrivilege	4156	wmic.exe
Token: SeRestorePrivilege	4156	wmic.exe
Token: SeShutdownPrivilege	4156	wmic.exe
Token: SeDebugPrivilege	4156	wmic.exe
Token: SeSystemEnvironmentPrivilege	4156	wmic.exe
Token: SeRemoteShutdownPrivilege	4156	wmic.exe
Token: SeUndockPrivilege	4156	wmic.exe
Token: SeManageVolumePrivilege	4156	wmic.exe
Token: 33	4156	wmic.exe
Token: 34	4156	wmic.exe
Token: 35	4156	wmic.exe
Token: 36	4156	wmic.exe
Token: SeDebugPrivilege	4748	cs2.exe
Token: SeIncreaseQuotaPrivilege	4156	wmic.exe
Token: SeSecurityPrivilege	4156	wmic.exe
Token: SeTakeOwnershipPrivilege	4156	wmic.exe
Token: SeLoadDriverPrivilege	4156	wmic.exe
Token: SeSystemProfilePrivilege	4156	wmic.exe
Token: SeSystemtimePrivilege	4156	wmic.exe
Token: SeProfSingleProcessPrivilege	4156	wmic.exe
Token: SeIncBasePriorityPrivilege	4156	wmic.exe
Token: SeCreatePagefilePrivilege	4156	wmic.exe
Token: SeBackupPrivilege	4156	wmic.exe
Token: SeRestorePrivilege	4156	wmic.exe
Token: SeShutdownPrivilege	4156	wmic.exe
Token: SeDebugPrivilege	4156	wmic.exe
Token: SeSystemEnvironmentPrivilege	4156	wmic.exe
Token: SeRemoteShutdownPrivilege	4156	wmic.exe
Token: SeUndockPrivilege	4156	wmic.exe
Token: SeManageVolumePrivilege	4156	wmic.exe
Token: 33	4156	wmic.exe
Token: 34	4156	wmic.exe
Token: 35	4156	wmic.exe
Token: 36	4156	wmic.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeDebugPrivilege	3272	DebugTracker.exe
Token: SeDebugPrivilege	4652	wininit.exe
Token: SeDebugPrivilege	4948	wininit.exe
Token: SeDebugPrivilege	2968	wininit.exe
Token: SeDebugPrivilege	2688	wininit.exe
Token: SeDebugPrivilege	2612	wininit.exe
Token: SeDebugPrivilege	4988	wininit.exe
Token: SeDebugPrivilege	6080	wininit.exe
Token: SeDebugPrivilege	4492	wininit.exe
Token: SeDebugPrivilege	2108	wininit.exe
Token: SeDebugPrivilege	3008	wininit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2068	chrome.exe
2068	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 4644	2220	Nonagon.exe	90
PID 2220 wrote to memory of 4644	2220	Nonagon.exe	90
PID 2220 wrote to memory of 4644	2220	Nonagon.exe	90
PID 4644 wrote to memory of 1000	4644	RarExtPackage.exe	91
PID 4644 wrote to memory of 1000	4644	RarExtPackage.exe	91
PID 4644 wrote to memory of 1000	4644	RarExtPackage.exe	91
PID 4644 wrote to memory of 2596	4644	RarExtPackage.exe	92
PID 4644 wrote to memory of 2596	4644	RarExtPackage.exe	92
PID 4644 wrote to memory of 4796	4644	RarExtPackage.exe	94
PID 4644 wrote to memory of 4796	4644	RarExtPackage.exe	94
PID 4644 wrote to memory of 4748	4644	RarExtPackage.exe	95
PID 4644 wrote to memory of 4748	4644	RarExtPackage.exe	95
PID 4748 wrote to memory of 2068	4748	cs2.exe	96
PID 4748 wrote to memory of 2068	4748	cs2.exe	96
PID 2068 wrote to memory of 5068	2068	chrome.exe	97
PID 2068 wrote to memory of 5068	2068	chrome.exe	97
PID 2596 wrote to memory of 4156	2596	wtf1.exe	99
PID 2596 wrote to memory of 4156	2596	wtf1.exe	99
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 1384	2068	chrome.exe	102
PID 2068 wrote to memory of 2204	2068	chrome.exe	103
PID 2068 wrote to memory of 2204	2068	chrome.exe	103
PID 2068 wrote to memory of 1184	2068	chrome.exe	104
PID 2068 wrote to memory of 1184	2068	chrome.exe	104
PID 2068 wrote to memory of 1184	2068	chrome.exe	104
PID 2068 wrote to memory of 1184	2068	chrome.exe	104
PID 2068 wrote to memory of 1184	2068	chrome.exe	104
PID 2068 wrote to memory of 1184	2068	chrome.exe	104
PID 2068 wrote to memory of 1184	2068	chrome.exe	104
PID 2068 wrote to memory of 1184	2068	chrome.exe	104
PID 2068 wrote to memory of 1184	2068	chrome.exe	104
PID 2068 wrote to memory of 1184	2068	chrome.exe	104
PID 2068 wrote to memory of 1184	2068	chrome.exe	104
PID 2068 wrote to memory of 1184	2068	chrome.exe	104
PID 2068 wrote to memory of 1184	2068	chrome.exe	104
PID 2068 wrote to memory of 1184	2068	chrome.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nonagon.exe
"C:\Users\Admin\AppData\Local\Temp\Nonagon.exe"
1⤵
- DcRat
- Downloads MZ/PE file
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files\WinRAR\RarExtPackage.exe
  "C:\Program Files\WinRAR\RarExtPackage.exe"
  2⤵
  - DcRat
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\debug\VUQLBafFd1oU7p3k.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:1000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4424
    - - C:\Windows\debug\DebugTracker.exe
        
        "C:\Windows\debug\DebugTracker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3272
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bn9GlWlL3z.bat"
        6⤵
        
        PID:4548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4648
        
        C:\900323d723f1dd1206\wininit.exe
        
        "C:\900323d723f1dd1206\wininit.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84e4a125-9b4a-49fc-8ec8-43641589b74b.vbs"
        8⤵
        
        PID:1528
        
        C:\900323d723f1dd1206\wininit.exe
        
        C:\900323d723f1dd1206\wininit.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78fe4477-6363-43c8-830d-822294c19f09.vbs"
        10⤵
        
        PID:5052
        
        C:\900323d723f1dd1206\wininit.exe
        
        C:\900323d723f1dd1206\wininit.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdc366f3-d956-46f5-8a96-75a50e7fb5be.vbs"
        12⤵
        
        PID:4156
        
        C:\900323d723f1dd1206\wininit.exe
        
        C:\900323d723f1dd1206\wininit.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a83cc516-2c68-4444-b388-30190a6fef64.vbs"
        14⤵
        
        PID:2392
        
        C:\900323d723f1dd1206\wininit.exe
        
        C:\900323d723f1dd1206\wininit.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb20cd01-d7f7-46a6-9daa-37b707a04837.vbs"
        16⤵
        
        PID:2684
        
        C:\900323d723f1dd1206\wininit.exe
        
        C:\900323d723f1dd1206\wininit.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45772f22-82b2-4762-9fbc-1f2ca13b0f00.vbs"
        18⤵
        
        PID:5392
        
        C:\900323d723f1dd1206\wininit.exe
        
        C:\900323d723f1dd1206\wininit.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdb0bdcc-6f51-4f63-bd5d-dd821d0187d0.vbs"
        20⤵
        
        PID:3848
        
        C:\900323d723f1dd1206\wininit.exe
        
        C:\900323d723f1dd1206\wininit.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73401d19-5e8f-4107-ad9d-efcb5a34cd30.vbs"
        22⤵
        
        PID:2868
        
        C:\900323d723f1dd1206\wininit.exe
        
        C:\900323d723f1dd1206\wininit.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4236966c-d054-471c-aafb-78e9d95c4757.vbs"
        24⤵
        
        PID:4004
        
        C:\900323d723f1dd1206\wininit.exe
        
        C:\900323d723f1dd1206\wininit.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98cac277-68e1-460d-b048-b20a80bdd10b.vbs"
        26⤵
        
        PID:4764
        
        C:\900323d723f1dd1206\wininit.exe
        
        C:\900323d723f1dd1206\wininit.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45d35053-3c2a-4f25-ae2b-279085ce5c58.vbs"
        28⤵
        
        PID:5896
        
        C:\900323d723f1dd1206\wininit.exe
        
        C:\900323d723f1dd1206\wininit.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79da0592-8ae3-4d31-9ee8-f90b41c8bfde.vbs"
        30⤵
        
        PID:4676
        
        C:\900323d723f1dd1206\wininit.exe
        
        C:\900323d723f1dd1206\wininit.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aa00f87-a53e-4079-83f5-b95d8477c7be.vbs"
        32⤵
        
        PID:4364
        
        C:\900323d723f1dd1206\wininit.exe
        
        C:\900323d723f1dd1206\wininit.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a80c5036-c3b0-4dbf-85a5-fc61244e2f18.vbs"
        34⤵
        
        PID:3448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f51b535-9b01-45a0-bbb5-c9164a1b83b2.vbs"
        34⤵
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\404399f8-68d2-418b-8985-c54f5af0d002.vbs"
        32⤵
        
        PID:1396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aad9d84c-ccd3-4b08-bd74-670e26df31b9.vbs"
        30⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9046f11-e20c-47fa-9f0c-e4bfa0a9c481.vbs"
        28⤵
        
        PID:4312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56847dce-39a1-483b-a26c-dd070ea9d2f0.vbs"
        26⤵
        
        PID:1180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a82b3c0-6a7b-4491-a77c-d0246fec23fb.vbs"
        24⤵
        
        PID:3580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eff0443-8b45-4f73-a0d6-fae26f72b4a4.vbs"
        22⤵
        
        PID:4840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb009207-0c59-4ce8-a073-17e0c9d0ba2b.vbs"
        20⤵
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\043fbe65-92a2-47f3-bf76-f137551b617b.vbs"
        18⤵
        
        PID:4772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e7f3675-f4d0-4372-b282-590768ed2932.vbs"
        16⤵
        
        PID:4344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b73ef29-aa96-4b3e-ab18-842a2a9ab2fa.vbs"
        14⤵
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9f25c08-2e72-4904-abf9-ed12e1c747cb.vbs"
        12⤵
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5920b758-0db8-4e60-a4b5-5d0cafff3a49.vbs"
        10⤵
        
        PID:4612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63484fd2-cc0c-437a-8dca-029601401384.vbs"
        8⤵
        
        PID:5924
- - C:\Windows\debug\wtf1.exe
    "C:\Windows\debug\wtf1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4156
- - C:\Windows\debug\wtf.exe
    "C:\Windows\debug\wtf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\debug\cs2.exe
    "C:\Windows\debug\cs2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb21efdcf8,0x7ffb21efdd04,0x7ffb21efdd10
        5⤵
        
        PID:5068
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1972,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1968 /prefetch:2
        5⤵
        
        PID:1384
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2244 /prefetch:3
        5⤵
        
        PID:2204
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2364,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2520 /prefetch:8
        5⤵
        
        PID:1184
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3224,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3232 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:640
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3292 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5728
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4356 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:4008
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4612,i,9925677559992218210,16518700674665117773,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4680 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1032

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\60739cf6f660743813\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\900323d723f1dd1206\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\900323d723f1dd1206\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\900323d723f1dd1206\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\RarExtPackage.exe

Filesize
1.5MB

MD5
84d934c68349e798f58a35df1f2f90c2

SHA1
be0974e4699ff06f52f0d5d380bc9cb8f0c50e19

SHA256
3b7218b64c14fc5125a93b4f898886d3bb9c1bb69f0696ae557bb2b79fe8e8f6

SHA512
83ea4479e8536b015a628c0a8ca0662b269875f303bd0193ad551022c04105406001990f3b261c8201ec031d92047450debe1c915a2e361eddb80b48b876d335

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
406a765ad977e554922fa0af732bfe65

SHA1
f7ce2057999714963be09b46bd3849edfcfa3005

SHA256
b035f307a96e2532215fed3268b5c40e99cd79cdb44538a3b7c38520fe60f300

SHA512
4d6d4cc54761a597836de88cd4e5f8f234662b2b8b7f7121427fd9ceba9fe6465f0666541c05acd58d2ce3374292b7dfd8f4bc7a71ce013b1f969664ef11625f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
5cb90c90e96a3b36461ed44d339d02e5

SHA1
5508281a22cca7757bc4fbdb0a8e885c9f596a04

SHA256
34c15d8e79fef4bddec7e34f3426df3b68f8fc6deac29ea12d110f6c529fe3bb

SHA512
63735938c841c28824e3482559df18839930acc5ea8600b1074439b70a2f600a92f41593568e49991f25f079e7f7361b4f1678feadbf004f6e9e4d51d36598d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4236966c-d054-471c-aafb-78e9d95c4757.vbs

Filesize
709B

MD5
571dce4e3317f21665e409be0ef37dea

SHA1
bf7f044d434e3cac76664968d82570556e2ffcf2

SHA256
7ac0e4d0e78bac8b9d4d1e0c00c11ec310810505a387cfa676cb350d4ad8ffd7

SHA512
3a00af589eebb5cc704fe2eea7f5c047b7c18196d09cc85a2268f7c7228650ab723fb30c78ee5b207ea1c4d8865562f9deb417826e6ea797856dfe3bc843ab08

Download Submit
C:\Users\Admin\AppData\Local\Temp\45772f22-82b2-4762-9fbc-1f2ca13b0f00.vbs

Filesize
709B

MD5
d08d11e4391e8e4083cd804039812a4a

SHA1
3dcd8c44ba1040fd596cd407d90f6b0ac086580f

SHA256
803e2128390d0157c93782f53a53f00547fdd9c8b1758d867f6a20fdff5b5cb0

SHA512
559b209ad65fac6730919ba7269a767d2a52c543370f31bfa7f452681b98cb7310a6c486210c08c3383cdeffbd45b0842e1a76b6372a0131ca0ed728164cafa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\45d35053-3c2a-4f25-ae2b-279085ce5c58.vbs

Filesize
709B

MD5
50d18e2e802f3b813b4a84852a425554

SHA1
2c52dc9c1beea7e082cd00a0e1a577b840d271d0

SHA256
00d9ca364983552b3da714d92deba448436513bca5caa47fae70f265d28491c1

SHA512
2d4c89d1bf161da230f4e20ef6368bd5747dc41c51556824b7cd5a662ebab1a876ce0cede919f70b69afe10e7f84ce338489eedd79980a2d7d528010e398f0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\63484fd2-cc0c-437a-8dca-029601401384.vbs

Filesize
485B

MD5
7f0f9f7c1e711043f14c6c2ed27bbd3c

SHA1
93f9b262b1b9caafd81a79f61a91baaffedf809e

SHA256
225aa29beb4760b24aee03133a9988ccd3953f9729b21a3ffa06a84c8840c4fb

SHA512
488920b2e70890278dab5072bb0d0d304e9d0d08a0ac7feb47a896cb064c25107c2bee7eba5abd1e0f7958576219fb4753000cfed3ecd492e74015f33705a4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\73401d19-5e8f-4107-ad9d-efcb5a34cd30.vbs

Filesize
709B

MD5
44a25be7f72ea76f49bda9a23fe8d15f

SHA1
36a7a0be57ece3ca0ba0414d3c40d6b38581a62f

SHA256
861800ac9674b68062ac1201a395c10ce5e7c782588f76a7a7e1729efe8e89f7

SHA512
477b7734de880238b933afe7d6a916f1af95c92e9d2362448c7dd20845613c1eff161a1cf8637570ce620454343fdcd7af8834ea74935fb0af45c224768d2ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\78fe4477-6363-43c8-830d-822294c19f09.vbs

Filesize
709B

MD5
377b231ece995f5ac78b9d63e7101760

SHA1
8efafe9b5e7c580976e9b2f72b28fb5ea57a683c

SHA256
4de3938d0f4f4293b4a4e9a8bb45fbd7be2aa28225c85805f07fa925112c82c3

SHA512
2a36bd01aca4b89a57829378b1bee004c35f1a679cf73b1b94d7557ce0ae31ac5eeb4e039d5cf901ab061eb42fce1a018426ee07b0eff7caa6b39e20db74e9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\84e4a125-9b4a-49fc-8ec8-43641589b74b.vbs

Filesize
709B

MD5
0a8c65dc38835f8b167a4289eaca6664

SHA1
68d4f7789d5c1105969fd6987fc3d1e75b9876e9

SHA256
1d7234517828b20eac5b8ee4a731304940f58a99305cf3aa6df891dfcb20f6c9

SHA512
9499613faf88f45346709468b52ae66515bab9f7901f2b63e73acaceeb65e390fc6a535de042357cbb0eb63a3aaa614d28860662db165535c7f0f0c1dac87f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\98cac277-68e1-460d-b048-b20a80bdd10b.vbs

Filesize
709B

MD5
3af007ccf18834352d7fff6a1cea2c8a

SHA1
6cbfa48128c919a5f9ebdd3d0f55337785cef6fb

SHA256
00ed1606c623df5e5f468028c7e18645269532a929f1fa40cb7192fd69181062

SHA512
7d795c3e33f1dca1c8f30f8a2e3d3b6c78440112aa17777b403aa3977e1a46f8e21831cc29f5e2ba1132ed1eb60501015f975d00dbf9ab79f59e0633a77b0a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\a83cc516-2c68-4444-b388-30190a6fef64.vbs

Filesize
709B

MD5
2a335ce642c17ea2638fdd6fd051823e

SHA1
0b65d3bd364247014e29d9060e5cc76099fdbc18

SHA256
c8a0236707aa33630d5ded16dd10357461c71d3289cc528ecd1d338b1d33318d

SHA512
32e3a7107bccde2b13e23a34988168aa567230e5a11ceb56a00fdccb724cd053ec3108cb8a516e1949643ddd50e2a97e508fd3563b468d30aa7c5aa904401297

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdb0bdcc-6f51-4f63-bd5d-dd821d0187d0.vbs

Filesize
709B

MD5
711416665eef546f730380c0263c7a71

SHA1
317a39a6eb2994dbaa3f72bd4327366e9fc269fb

SHA256
96418babffceddf9fe79a766295846c253a1002c20eef4d6389cf0a2ef844fef

SHA512
f2a8be10a102e1fdbc67e4e789bea2232621bfe97e72d94c9993e86db8d2c94dc92e661729440ffa26401f5bd71a78c9d03d123b479c26bf094474b5a11c58b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bn9GlWlL3z.bat

Filesize
198B

MD5
07dfb2f2e90fd8c5eaa75af5983586a0

SHA1
6f6e44b4d36a9a2bfcae5f745d879f097f8e61f4

SHA256
7029b8df567e674983ade3310bb880859db18ac2a1e60ba4d639b00e8826bba7

SHA512
7f74026bee9ef7a71a27984647d79b8e8d70468ba1900a47596df9f0f0e300e1fb89680617bae184f664aa68f6b2ac1466b47acf4fcb575ef07c4e72de7427b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb20cd01-d7f7-46a6-9daa-37b707a04837.vbs

Filesize
709B

MD5
8978aee794b886ba7e7b5a6faba04040

SHA1
c1e8aa893d83f7a782ad24f7a9f8cc8ea61c2c20

SHA256
dc1f3be1c1644027084e191716c42e91a595adf49809dce7b76319d58efae1f4

SHA512
711515f68260f56e9dc73c105f4fd880fa746de469b35b7fd6b71f06701269645c724d43c3f02517863ebcf4a635312e8e03420f6f702e7605312d345764f645

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdc366f3-d956-46f5-8a96-75a50e7fb5be.vbs

Filesize
709B

MD5
eae87e033dbcbe5bd1c1603b495320f6

SHA1
3424707914613d7de1f047dc16f043029f5f153b

SHA256
7a5daf72c15f707c29cbc575855b5ef54c94fa692bc0a04955bfa3e03e25e123

SHA512
f00e68b21e18aeefd6755129d86a444660b5ede02c21626781ae3175c364e4869b53d40afbd61afa3fc8b99f7d65a21b522eba2adb01767866e03593c8f5dc90

Download Submit
C:\Windows\debug\DebugTracker.exe

Filesize
942KB

MD5
22cbb5402a44f058c9176e04aa74b5f6

SHA1
10838c4611974ba2a5382442677dcf679840ecdd

SHA256
5d1930426e5e41548bcc214c4298c96028ea71d2a83f755e50fa5756c35a615a

SHA512
10d0693f4c6ff9cbcdf5b4ec8b0c690f11d9463c834c94fc7659bf9a89edae9c0b951e55f5909344caf4cccc1ea8d7635b58126cb3667847a290b4f0ac49f0a0

Download Submit
C:\Windows\debug\PXm40rAQJNL1dLLc2xrFc0EDNV.bat

Filesize
35B

MD5
159dec09c9bf063b00e4952d8665a601

SHA1
38bac5d19ebd3822e23b07932cd65ba7c2c08a9c

SHA256
f380d068932fe95e35273007cae8acc6d71bd62446c7fa7f0ed0da6bcb7b0c9c

SHA512
5cb79038ee2f712aead2b6180af25305326044711d9f8270b4075eabe7635c096eb8c4e22182633d639abf29293d28a7187d5c8bb5726cd6a9707b48961df073

Download Submit
C:\Windows\debug\VUQLBafFd1oU7p3k.vbe

Filesize
217B

MD5
f9ed37928a0d95692faa9f69d0cd5cb7

SHA1
77c2968f3d2ba8afb128307105861734b4fce286

SHA256
61ac997d454ae62b6025b60e2ac9f1c7031cf380f3d9d1395de3cd816d35554a

SHA512
cbe7954def42abac38dde5ba9f9fbc341e8e9161a9b0826e9fe779541fdf2b0057402d9c3dab608a9b01dc9c3229a122e13ac71bd52be978adbd628d16867b79

Download Submit
C:\Windows\debug\cs2.exe

Filesize
137KB

MD5
509f2eeba11a964fa8d22ab6994cee78

SHA1
544321089bbc1cbc6e51eabcfcb0c042f797142c

SHA256
21c7ecd4074b68a2d59b6b241037392a0f1ee2d6450fa3c72a3895f3563d5a2a

SHA512
f6eed65466977ef5b775e9dd1c204790b901e64bebc648e71b38062dd5d9207cc53fbfa4bf7b170dfc1fa41bfb1570cb6527863d9abe5d03efc49eedc5487cf0

Download Submit
C:\Windows\debug\wtf.exe

Filesize
265KB

MD5
47ba0b9187c62981c229372477e2b2a0

SHA1
9c861ee21eb30ec6aa35b02bd437f70c2ac25eee

SHA256
93a0a5f1d487c699ba0809428c732bb0d741bc41b4459490b24d9b03ee3183fc

SHA512
2a65a3b52751ce99918ab3e01db1cc21e08e5a5069fd0256a6601a3aee5d2d75ce842c9eeb147cd7d76612b0ab8f86adee2eab3fea8e410f55c8061a690585c7

Download Submit
C:\Windows\debug\wtf1.exe

Filesize
229KB

MD5
187795687849f43176bc94aff323435f

SHA1
22e3d510df771291a2a256946ac6268ccf5d10be

SHA256
d7ebf40f863050be539cd8cbba2463c48235aa509819ed3b066a1c0b4974203e

SHA512
b099c9cbd3f5d9cd44dae19c66e88d32e5c290fa3f8cd6818397b54f2f73d318738d96b295053254bed4f254a2ebdfb2a8e75402e61314343060447888d781a3

Download Submit
memory/2596-65-0x000001B6E49D0000-0x000001B6E4A10000-memory.dmp

Filesize
256KB

Download
memory/3272-128-0x0000000002680000-0x000000000268A000-memory.dmp

Filesize
40KB

Download
memory/3272-130-0x000000001B120000-0x000000001B128000-memory.dmp

Filesize
32KB

Download
memory/3272-129-0x0000000002690000-0x000000000269E000-memory.dmp

Filesize
56KB

Download
memory/3272-127-0x0000000000510000-0x0000000000602000-memory.dmp

Filesize
968KB

Download
memory/4748-70-0x000001F9876E0000-0x000001F987708000-memory.dmp

Filesize
160KB

Download
memory/4796-66-0x0000024C14050000-0x0000024C14096000-memory.dmp

Filesize
280KB

Download